Snort mailing list archives

Re: Clarification of inbound only logging issue.


From: Erick Mechler <emechler () techometer net>
Date: Sun, 2 Feb 2003 14:39:15 -0800

:: I have set up a second instance of snort to log packets to a mysql
:: database. Everything works fine, except it only sees the inbound
:: packets. The rule is "log any any any -> any any", I even tried "log tcp
:: $HOME_NET any -> $EXTERNAL_NET any", and it still only logs inbound
:: packets.

It really sounds like you should just be using tcpdump for this sort of 
thing.  If you aren't really doing any content filtering, or specific 
pattern matches, then just run tcpdump, e.g.,

  tcpdump -x -i [iface] host [mysql.db] and port 3306

As to why snort is only seeing the inbound packets, perhaps you have some 
asymmetric routing going on?  Is your snort sensor on a span port that can 
see both inbound and outbound traffic?

Cheers - Erick
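A quick way to settle the span-port question is to take a short `tcpdump -n` capture on the sensor interface and tally which way each packet crosses the home-network boundary: if every packet is headed toward your hosts and none away from them, the tap (or the routing) is one-directional and no Snort rule will fix it. The script below is an added example, not code from the original thread or from the Snort project; the HOME_NET value and the two sample captures are constructed for illustration. Lines that are not IPv4 packet summaries (ARP, IPv6, the hex-dump lines that `tcpdump -x` prints) are skipped.

```python
"""Tally packet direction in `tcpdump -n` output to check whether a sensor
sees both halves of each conversation.  Added example, not code from the
original thread.  HOME_NET and the sample captures below are assumptions."""
import ipaddress
import re
from collections import Counter

# Assumed home network for the sensor (the thread never states one).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Address fields of an IPv4 `tcpdump -n` summary line such as
# "14:39:15.123456 IP 192.168.1.10.44321 > 203.0.113.5.3306: Flags [S], ..."
LINE_RE = re.compile(
    r" IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample captures (not real traffic).  The first reproduces the
# symptom from the thread: every packet is headed toward HOME_NET.
ONLY_INBOUND = """\
14:39:15.000001 IP 203.0.113.5.50001 > 192.168.1.10.3306: Flags [S], seq 1, win 64240, length 0
14:39:15.000002 IP 203.0.113.5.50001 > 192.168.1.10.3306: Flags [.], ack 1, win 64240, length 0
14:39:15.000003 IP 203.0.113.5.50001 > 192.168.1.10.3306: Flags [P.], seq 1:80, ack 1, win 64240, length 79
14:39:15.000004 IP 198.51.100.7.50002 > 192.168.1.10.3306: Flags [S], seq 1, win 64240, length 0
""".splitlines()

# A healthy capture: SYN, SYN/ACK, ACK, data, plus one purely internal packet.
BOTH_WAYS = """\
14:39:15.000001 IP 203.0.113.5.50001 > 192.168.1.10.3306: Flags [S], seq 1, win 64240, length 0
14:39:15.000002 IP 192.168.1.10.3306 > 203.0.113.5.50001: Flags [S.], seq 1, ack 2, win 65160, length 0
14:39:15.000003 IP 203.0.113.5.50001 > 192.168.1.10.3306: Flags [.], ack 1, win 64240, length 0
14:39:15.000004 IP 192.168.1.10.3306 > 203.0.113.5.50001: Flags [P.], seq 1:60, ack 1, win 65160, length 59
14:39:15.000005 IP 192.168.1.10.3306 > 192.168.1.20.5555: Flags [S], seq 9, win 64240, length 0
""".splitlines()


def classify(line):
    """Return 'inbound', 'outbound', 'internal' or 'external' for an IPv4
    summary line, or None for anything else (ARP, IPv6, hex-dump lines)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_home = ipaddress.ip_address(m["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(m["dst"]) in HOME_NET
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def tally(lines):
    """Count packets per direction; unparsable lines are counted as 'skipped'."""
    counts = Counter()
    for line in lines:
        counts[classify(line) or "skipped"] += 1
    return counts


def diagnose(counts):
    """Turn the tally into the question from the thread: does the tap see
    both halves of the conversation?"""
    inbound, outbound = counts["inbound"], counts["outbound"]
    if inbound and not outbound:
        return "inbound only: check the span/mirror port or asymmetric routing"
    if outbound and not inbound:
        return "outbound only: check the span/mirror port or asymmetric routing"
    if inbound and outbound:
        return "both directions seen"
    return "no traffic crossing the HOME_NET boundary"


if __name__ == "__main__":
    # In practice: tcpdump -n -i <iface> -c 200 port 3306 | python3 thisfile.py
    for name, sample in (("only_inbound", ONLY_INBOUND), ("both_ways", BOTH_WAYS)):
        c = tally(sample)
        print(f"{name}: {dict(c)} -> {diagnose(c)}")
```

Run it against a real capture by piping `tcpdump -n` output into `tally()` instead of the embedded samples; a result of "inbound only" on a TCP port where you expect a handshake (you should see the SYN/ACK coming back) confirms the sensor is not seeing the return path, which points at the span configuration or routing rather than at the Snort rule.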




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
